CVE-2026-15692: Tenda BE12 Pro Stack-Based Buffer Overflow Vulnerability
A stack-based buffer overflow vulnerability, identified as CVE-2026-15692, exists in Tenda BE12 Pro firmware version 16.03.66.23's `fromSafeUrlFilter` function, allowing remote attackers to achieve arbitrary code execution by manipulating the 'page' argument via a crafted HTTP request, with a public exploit available.
A critical stack-based buffer overflow vulnerability, tracked as CVE-2026-15692, has been discovered in the Tenda BE12 Pro wireless router, specifically in firmware version 16.03.66.23. The flaw resides within the fromSafeUrlFilter function of the /goform/SafeUrlFilter file. Attackers can remotely exploit this weakness by sending a specially crafted HTTP request that manipulates the page argument. This manipulation leads to a buffer overflow, which can be leveraged to achieve arbitrary code execution on the device. The vulnerability carries a CVSS v3.1 base score of 8.8 (High) and is particularly concerning as an exploit has been made publicly available, increasing the likelihood of widespread exploitation. This vulnerability affects the device's core functionality, enabling potential compromise of network infrastructure.
Attack Chain
- An attacker, with network access to the Tenda BE12 Pro device, identifies the vulnerable
/goform/SafeUrlFilterendpoint. - The attacker crafts an HTTP POST request targeting this endpoint.
- The request includes a
pageargument within thecs-uri-querythat is malformed or excessively long, designed to exceed the buffer allocated for it in thefromSafeUrlFilterfunction. - The vulnerable
fromSafeUrlFilterfunction attempts to process the manipulatedpageargument, triggering a stack-based buffer overflow. - The overflow overwrites adjacent memory regions on the stack, allowing the attacker to inject and execute arbitrary code.
- Upon successful exploitation, the attacker gains remote code execution capabilities on the Tenda BE12 Pro router.
- This RCE can lead to full compromise of the device, allowing the attacker to establish persistence, exfiltrate data, or pivot to other systems on the internal network.
Impact
Successful exploitation of CVE-2026-15692 grants remote attackers arbitrary code execution on the Tenda BE12 Pro router. This can lead to a complete compromise of the affected device, resulting in a loss of confidentiality, integrity, and availability of the network traffic passing through the router. Attackers could redirect traffic, steal sensitive information, use the router as a foothold for further attacks on the internal network, or disrupt internet access for connected users. As a critical network device, its compromise can severely impact business operations and data security. The public availability of exploit details increases the risk of targeted and widespread attacks.
Recommendation
- Immediately update Tenda BE12 Pro devices to a patched firmware version when available to remediate CVE-2026-15692.
- Deploy the provided Sigma rule to your SIEM to detect attempts to exploit CVE-2026-15692 by monitoring webserver logs for suspicious
cs-uri-querypatterns on/goform/SafeUrlFilter. - Implement network segmentation to isolate critical systems and reduce the potential impact of compromised edge devices like routers.
- Review web server access logs for requests matching the patterns described in the Sigma rule and any associated IOCs from the references.
Detection coverage 1
Detects CVE-2026-15692 Exploitation - Tenda BE12 Pro Overflow Attempt
highDetects CVE-2026-15692 exploitation attempts targeting Tenda BE12 Pro routers via a stack-based buffer overflow in the /goform/SafeUrlFilter endpoint by looking for suspicious characters or patterns in the 'page' argument.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
6
url
| Type | Value |
|---|---|
| url | https://github.com/cve-a/dexingzhiqing/issues/2 |
| url | https://vuldb.com/cve/CVE-2026-15692 |
| url | https://vuldb.com/submit/856010 |
| url | https://vuldb.com/vuln/378239 |
| url | https://vuldb.com/vuln/378239/cti |
| url | https://www.tenda.com.cn/ |